Description
Unauthenticated PHP Object Injection in Kapee < 1.7.0 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated PHP Object Injection in versions of the Kapee WordPress theme prior to 1.7.0 allows an attacker to inject a serialized PHP object into the application. The vulnerability is classified as CWE‑502 and can lead to arbitrary code execution or other persistent compromise of the affected site. The impact is significant, as it would give an attacker full control over the impacted WordPress installation.

Affected Systems

The affected product is the Kapee theme developed by PressLayouts. All installations running any Kapee version earlier than 1.7.0 are vulnerable; the change log confirms that the fix is included in the first release of 1.7.0.

Risk and Exploitability

The CVSS v3.1 score of 8.1 indicates a high severity. The EPSS score of less than 1% suggests that concrete exploitation attempts are currently rare, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the flaw permits unauthenticated exploitation and can result in remote code execution, the risk remains high. The likely attack vector involves submitting a crafted serialized object through HTTP requests that the theme processes, a technique that does not require elevated privileges on the site.

Generated by OpenCVE AI on June 17, 2026 at 20:37 UTC.

Remediation

Vendor Solution

Update the WordPress Kapee Theme to the latest available version (at least 1.7.0).


OpenCVE Recommended Actions

  • Update the WordPress Kapee Theme to version 1.7.0 or later to eliminate the PHP Object Injection flaw.
  • If the theme update cannot be applied immediately, disable the theme and switch to a default WordPress theme to prevent execution of legacy code.
  • Implement a web application firewall rule or similar input validation that blocks HTTP requests containing serialized PHP objects to reduce the chance of exploitation while awaiting the update.

Generated by OpenCVE AI on June 17, 2026 at 20:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Presslayouts
Presslayouts kapee
Wordpress
Wordpress wordpress
Vendors & Products Presslayouts
Presslayouts kapee
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Kapee < 1.7.0 versions.
Title WordPress Kapee theme < 1.7.0 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Presslayouts Kapee
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:42:30.709Z

Reserved: 2026-04-07T08:24:32.861Z

Link: CVE-2026-39446

cve-icon Vulnrichment

Updated: 2026-06-17T10:42:25.642Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:30Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data